-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathPathInjection.qhelp
More file actions
61 lines (53 loc) · 2.06 KB
/
PathInjection.qhelp
File metadata and controls
61 lines (53 loc) · 2.06 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Accessing files using paths constructed from user-controlled data can allow an
attacker to access unexpected resources. This can result in sensitive
information being revealed or deleted, or an attacker being able to influence
behavior by modifying unexpected files.
</p>
</overview>
<recommendation>
<p>
Validate user input before using it to construct a file path, either using an
off-the-shelf library like <code>ActiveStorage::Filename#sanitized</code> in
Rails, or by performing custom validation.
</p>
<p>
Ideally, follow these rules:
</p>
<ul>
<li>Do not allow more than a single "." character.</li>
<li>Do not allow directory separators such as "/" or "\" (depending on the file
system).</li>
<li>Do not rely on simply replacing problematic sequences such as "../". For
example, after applying this filter to ".../...//", the resulting string would
still be "../".</li>
<li>Use a whitelist of known good patterns.</li>
</ul>
</recommendation>
<example>
<p>
In the first example, a file name is read from an HTTP request and then used to
access a file. However, a malicious user could enter a file name which is an
absolute path, such as <code>"/etc/passwd"</code>.
</p>
<p>
In the second example, it appears that the user is restricted to opening a file
within the <code>"user"</code> home directory. However, a malicious user could
enter a file name containing special characters. For example, the string
<code>"../../etc/passwd"</code> will result in the code reading the file located
at <code>"/home/user/../../etc/passwd"</code>, which is the system's password
file. This file would then be sent back to the user, giving them access to all
the system's passwords.
</p>
<sample src="examples/tainted_path.rb" />
</example>
<references>
<li>OWASP: <a href="https://owasp.org/www-community/attacks/Path_Traversal">Path Traversal</a>.</li>
<li>Rails: <a href="https://api.rubyonrails.org/classes/ActiveStorage/Filename.html#method-i-sanitized">ActiveStorage::Filename#sanitized</a>.</li>
</references>
</qhelp>